Upgrade to Snort 2.8.4
Sourcefire has changed the dcerpc preprocessor in Snort, so you have to upgrade to 2.8.4 if you want netbios rules to continue to work. This is the procedure I followed to upgrade my snort boxes.
1. Get Snort 2.8.4
2. Build and install snort
3. Replace old netbios rules
4. Disable the old dcerpc preprocessor in snort.conf
5. Enable the new dcerpc2 preprocessor in snort.conf
Get Snort 2.8.4
# wget http://www.snort.org/dl/snort-2.8.4.tar.gz
Build and install snort
# tar zxvf snort-2.8.4.tar.gz
# cd snort-2.8.4
# ./configure --with-mysql --enable-dynamicplugin
# make
# service snort stop
# make install
Replace old netbios rules
# wget http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules
# cp /etc/snort/rules/netbios.rules /etc/snort/rules/netbios.rules.old
# cp dcerpc2-snort-2.8.4-RC-1.rules /etc/snort/rules/netbios.rules
Disable old dcerpc preprocessor
In snort.conf:
#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000
Enable new dcerpc2 preprocessor
In snort.conf:
preprocessor dcerpc2
preprocessor dcerpc2_server: default
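As an added check that is not part of the original post: a small POSIX shell script that verifies a snort.conf reflects the two edits above (legacy dcerpc commented out, dcerpc2 and dcerpc2_server active) before the service is restarted. snort_config_test() assumes the new snort binary is on PATH and uses its -T configuration test mode; the before/after fragments are constructed samples.

```shell
#!/bin/sh
# Post-upgrade sanity check for the dcerpc -> dcerpc2 switch in snort.conf.
# Added example, not from the original post; sample configs are constructed.

# Print only the active configuration lines of a file: leading whitespace
# removed, '#' comment lines and blank lines dropped.
active_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Return 0 when the file reflects the upgrade (old dcerpc off, dcerpc2 on),
# 1 otherwise, with the reason on stderr.
check_dcerpc_conf() {
    conf="$1"
    # The legacy directive is "preprocessor dcerpc:"; the colon stops dcerpc2 matching.
    if active_lines "$conf" | grep -Eq '^preprocessor[[:space:]]+dcerpc:'; then
        echo "$conf: legacy dcerpc preprocessor is still enabled" >&2
        return 1
    fi
    if ! active_lines "$conf" | grep -Eq '^preprocessor[[:space:]]+dcerpc2([[:space:]:]|$)'; then
        echo "$conf: dcerpc2 preprocessor is not enabled" >&2
        return 1
    fi
    if ! active_lines "$conf" | grep -Eq '^preprocessor[[:space:]]+dcerpc2_server:'; then
        echo "$conf: dcerpc2_server block is missing" >&2
        return 1
    fi
    return 0
}

# Let snort itself validate the file (-T = test configuration and exit) before
# "service snort start"; only meaningful where the 2.8.4 binary is installed.
snort_config_test() {
    snort -T -c "$1"
}

# Constructed before/after fragments mirroring the snort.conf edits above.
write_samples() {
    dir="$1"
    cat > "$dir/before.conf" <<'EOF'
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
EOF
    cat > "$dir/after.conf" <<'EOF'
#preprocessor dcerpc: \
#    autodetect \
#    max_frag_size 3000 \
#    memcap 100000
preprocessor dcerpc2
preprocessor dcerpc2_server: default
EOF
}
```

Run check_dcerpc_conf against the real snort.conf and then snort_config_test on the same file before restarting the service; a half-done edit (old block commented out, dcerpc2 not yet added) is reported as a failure.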
1 Comment:
wget http://www.snort.org/vrt/tools/dcerpc2-snort-2.8.4-RC-1.rules Link is broken...
Riley